INDEPENDENT EVALUATION OF
SBA'S INFORMATION SECURITY PROGRAM

REPORT NUMBER 06-01

OCTOBER 7, 2005

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

ADVISORY MEMORANDUM REPORT
Issue Date: October 7, 2005
Number: 06-01

To:      Hector V. Barreto
         Administrator

         Stephen D. Galvan
         Deputy Administrator
         Chief Operating Officer
         Chief Information Officer

         Charles McClam
         Acting Chief Information Officer

         Delorice P. Ford
         Chief Privacy Officer

         /S/ Original Signed
From:    Robert G. Seabrooks
         Assistant Inspector General for Audit

Subject: Independent Evaluation of SBA's Information Security Program

The Federal Information Security Management Act (FISMA) requires the Office of Inspector General (OIG) to perform an independent evaluation of the Small Business Administration's (SBA) information security program. This report presents the results of that evaluation in accordance with the specific FISMA reporting instructions issued by the Office of Management and Budget (OMB).

OBJECTIVES, SCOPE AND METHODOLOGY

The objective of our review was to evaluate SBA's information security program in accordance with the FISMA reporting requirements specified in U.S. Code Title 44, Chapter 35, Section 3545, as well as OMB Memorandum M-05-15. We performed an independent evaluation of SBA's information security program to reach conclusions about the adequacy of the FISMA reporting areas. In making our evaluation, we considered prior audits related to SBA's information systems computer security program issued by our office in fiscal year 2005, and we analyzed pertinent information in SBA's Information Technology Security and Privacy areas.

Our assessment covered the 20 high-priority systems identified by SBA and its characterization of compliance with FISMA requirements from September 16, 2004 to August 15, 2005. OMB Memorandum M-05-15 encouraged us to provide any additional narrative in an appendix to the FISMA report to the extent those comments provide meaningful insight into the status of the agency's security or privacy program.

We interviewed SBA officials and reviewed documentation on SBA's information security program. Our evaluation was performed at SBA's headquarters office in Washington, D.C. from April 2005 through October 2005.

OVERALL EVALUATION

Generally for FY 2005, SBA's computer security program continues to show mixed results. SBA continued to have 19 of 20 major systems (95 percent) certified and accredited as of the end of our fieldwork on August 15, 2005. However, SBA has not been able to timely or sufficiently address 161 unimplemented system risk assessment vulnerabilities and 50 unresolved OIG audit findings for which the recommendations had exceeded their estimated target date for completion. A number of these unimplemented audit recommendations and risk assessment weaknesses are significant to SBA's information technology environment.

For FY 2005, OMB requested an in-depth review of SBA's Certification and Accreditation process. We have identified the following areas which came to our attention during the FISMA review process.

Finding 1: SBA's Certification and Accreditation Program Does Not Meet All Necessary Aspects of NIST Requirements

We found that most processes with respect to SBA's certification and accreditation (C&A) program were implemented appropriately. However, we found three areas that did not fully meet existing National Institute of Standards and Technology (NIST) guidance for performing C&A activities. Given the scope of the three exceptions in relation to the overall program, we rated the quality of SBA's C&A process as "Satisfactory" in the annual FISMA evaluation.

a. Continuous Monitoring of SBA Systems Is Not Incorporated into SBA's Certification and Accreditation Requirements

SBA had not fully incorporated continuous monitoring of its information systems into any of the five Certifications and Accreditations (C&As) issued after September 2004. As a result, SBA is not fully ensuring that its systems remain protected between certification reviews.

According to the Guidelines for Certification and Accreditation (NIST 800-37), Section 3.4, Task 9, the objective of the security control monitoring task is to: (i) select an appropriate set of security controls in the information system to be monitored; and (ii) assess the designated controls using methods and procedures selected by the information system owner. The continuous monitoring of security controls helps to identify potential security-related problems in the information system that are not identified during the security impact analysis conducted as part of the configuration management and control process. The authorizing official and the information system owner should agree on the subset of security controls and the frequency of monitoring activity.

We reviewed the C&A packages for five systems finalized after September 2004. We could not identify an appropriate set of security controls in the information system to be monitored for any of the five C&A packages finalized since September 2004. Additionally, we noted in OIG Audit 5-12, issued on February 22, 2005, that:

    Logging and monitoring controls at the network and application level were weak. SBA had no policies and procedures identifying which activities should be logged and how to determine these activities, and had not specified who should review logs and how often. SBA briefly discussed logging in its Procedural Notice 9000-1407 and SOP 90-47-1; however, not at a level sufficient to ensure that individuals know what to log, who should review the logs, what the logs should be reviewed for, and how often they should be reviewed.

    We previously recommended in the Audit of SBA's Information Systems Controls for FY 2004, Audit Report 5-12, that the Chief Information Officer, for all SBA internal and contractor supported general support systems and major applications (e.g. Egan Mainframe; SBA and Corio UNIX; Network and Windows 2000; Loan Accounting System, Sybase; JAAMS Oracle, and related application functions):

    • Develop and document policies and procedures clearly outlining what activities should be logged, who should be responsible for reviewing logs, what the logs should be reviewed for, how often logs should be reviewed, and how long logs should be retained.
    • Assign responsibility within OCIO Security for the review of application and general support system security logs.
    • Retain audit logs for a sufficient period of time (at least 90 days).

b. SBA Had Not Implemented a Comprehensive Configuration Management Capability

SBA has not fully incorporated a comprehensive configuration management capability into four of the five C&As issued since September 2004. As a result, SBA is not ensuring that changes to its systems are documented and controlled. Additionally, the assessment of changes to the security of a system is an essential aspect of maintaining valid accreditations of SBA systems.

According to the Guidelines for Certification and Accreditation (NIST 800-37), Section 3.4, Task 8, the objective of the configuration management and control task is to: (i) document the proposed or actual changes to the information system; and (ii) determine the impact of proposed or actual changes on the security of the system.

We requested configuration management plans for all five systems with C&As finalized after September 2004. SBA provided a copy of one configuration management plan, for the Disaster Credit Management System (DCMS), which had been finalized after September 2004. However, we identified that this configuration management plan was for identifying changes to DCMS during development and not for the production environment. Therefore, that configuration management plan was not applicable to maintaining the DCMS system.

The SBA Systems Development Methodology requires that configuration management plans be created for all new Agency applications and that these plans include configurations down to the software or product level.

At the time of our review, OIG identified that configuration management plans for the contractor operated systems Section 8(a) Small Disadvantaged Business Management Information System and Contract Loan Servicing were not obtained by SBA. In addition, SBA could not provide configuration management plans for its internal LAN/WAN system. The C&A documentation for those systems refers to the SBA Systems Development Methodology (SDM) as the standard for configuration management.

We concluded that each SBA system should have a system configuration management plan which documents the change control process for that particular system. SBA should also have its own configuration management plans which document the change control process when SBA requests changes to contractor provided systems. These plans should identify who at SBA would request a change, and how that change would be programmed, tested, and moved into production in a controlled manner by SBA's contractors. These configuration management plans should be validated and tested in the C&A process before a system is accredited.

c. SBA's Local Area Network / Wide Area Network Was Improperly Accredited

SBA improperly fully accredited its Local Area Network / Wide Area Network (LAN/WAN) general support system during its most recent accreditation on May 19, 2005. This occurred because the LAN/WAN was categorized as "high" during its Federal Information Processing Standards (FIPS) 199 system categorization review, and according to the accreditation documents signed as of May 19, 2005, the LAN/WAN lacked a disaster recovery plan and a back-up recovery facility. As a result, SBA should not have fully accredited its LAN/WAN, but should have issued an "interim authority to operate" accreditation while SBA obtained the necessary back-up recovery plan and facility.

According to the NIST Guidelines for Certification and Accreditation of Federal Information Systems, if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation, an interim authorization to operate may be issued. An interim authorization to operate is rendered when the identified security vulnerabilities in the information system resulting from deficiencies in the planned or implemented security controls are significant but can be addressed in a timely manner.

Ancillary documentation provided by SBA identified that a backup recovery plan and facility had actually been acquired and tested before the certification and accreditation was signed by SBA. However, this information was not in the finalized accreditation package, and therefore the accreditation documentation was not current at the time of signature. SBA should have either issued an interim authority to operate for the LAN/WAN or ensured that the significant risks to the system identified in the LAN/WAN POA&M were accurately reflected before signature.

Recommendations: We recommend that the Chief Information Officer:

1.A  Fully incorporate "Continuous Monitoring" of major applications and general support systems as a task within SBA's Certification and Accreditation program, in accordance with the NIST Guidelines for Certification and Accreditation (NIST 800-37).

1.B  Require that configuration management plans be incorporated within Certification and Accreditation packages for all SBA systems, including those systems operated by contractors.

Finding 2: SBA's Privacy Impact Assessment Program Did Not Meet All Necessary Aspects of OMB Requirements

A number of newly created Privacy Impact Assessments (PIAs) for SBA's major systems did not contain the information needed to address all necessary aspects of a PIA. This occurred because SBA had not analyzed the systems, or the evidence accompanying the systems, beyond completion of the questionnaire. For example, there was no analysis or assessment of whether the system complied with privacy requirements based on the questionnaire results, nor a description of any new or planned changes to the system based on the results of the PIAs. Additionally, there were no measures to mitigate the risks identified for each alternative, and no rationale for making changes to the system or implementing controls over the utilization of the data.

OMB Memorandum 03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, requires that each agency conduct PIAs for electronic information systems and collections and, in general, make them publicly available. The PIA must identify what choices the agency made regarding an IT system or collection of information as a result of performing the PIA. For major information systems, the PIAs conducted for these systems should reflect a more extensive analysis of: (1) the consequences of collection and flow of information, (2) the alternatives to collection and handling as designed, (3) the appropriate measures to mitigate risks identified for each alternative, and (4) the rationale for the final design choice or business process.

We identified that the answers to the questionnaires which made up SBA's PIAs were not in sufficient detail commensurate with the size and complexity of SBA's major information systems and did not fully address areas of previously identified vulnerabilities. The following two examples are identified from our review:

a. The Joint Accounting and Administrative System (JAAMS): OIG's audit report "SBA's Implementation of the Joint Accounting and Administrative System" (3-32), issued on June 30, 2003; [FOIA Ex. 2].

   a. The following questions were answered as not applicable in the PIA questionnaire, Section E. Maintenance of Administrative Controls:

      [FOIA Ex. 2]

      We concluded that each of these questions should have been completed in the affirmative. Additionally, an in-depth analysis should have been performed identifying what controls, either systematic or manual, should have been implemented to prevent or detect unauthorized monitoring of employee information within the JAAMS system.

b. Contract Loan Servicing: During OIG audit "SBA's Oversight of the Fiscal Transfer Agent For The 7(a) Loan Program" (3-08), issued on January 30, 2003, we had reviewed the Fiscal Transfer Agent's (FTA) internal procedure manual for setting up loans within the FTA's information system. The internal procedure manual identified that the borrower SSN and co-owner name and address are to be entered into the FTA system.

   a. The following questions were answered as "No" in the PIA questionnaire, Section B. System Application/General Information:

      i. Does this system contain any information about individuals? - No.
         1. Is this information identifiable to the individual? - No.

      We concluded that both of these questions should have been completed in the affirmative. Additionally, a further review of Contract Loan Servicing was warranted before the PIA was finalized.

Overall, the Senior Agency Official for Privacy has taken actions to increase awareness of privacy issues and improve the quality of PIAs. Among the actions taken or planned for the near future are: implement a new privacy regulation, improve PIA guidance, conduct internal monitoring and auditing, conduct privacy training, and develop open lines of communication with system owners and the Inspector General.

Recommendations:

We recommend that the Senior Agency Official for Privacy:

2.A  Ensure that PIAs contain an analysis of the questionnaire answers and an overall assessment of the system's compliance with the Privacy Act.

2.B  Require that PIAs for major systems reflect a more extensive analysis of the consequences of collection and flow of information, the alternatives to collection and handling as designed, the appropriate measures to mitigate risks identified for each alternative, and the rationale for the final design choice or business process.

***

The OIG FISMA report is attached in the format prescribed, utilizing a template file which was provided by OMB.

The findings included in this report are the conclusions of the Auditing Division. The findings and recommendations are subject to review and implementation of corrective action by your office following the existing Agency procedures for audit follow-up and resolution.

Please provide us your management decision for each recommendation within 30 days. Your management decisions should be recorded on the attached SBA Forms 1824, "Recommendation Action Sheet," and show either your proposed corrective action or target date for completion, or an explanation of your disagreement with our recommendations.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, IT and Financial Management Group, at (202) 205-[FOIA Ex. 2].

Attachment

Section C: Inspector General. Questions 1, 2, 3, 4, and 5

Agency Name: U.S. Small Business Administration

[OMB template scoring scale for this section: Rarely (approximately 0-50% of the time), Sometimes (51-70%), Frequently (71-80%), Mostly (81-95%), Almost Always (96-100%). The template's scored response grid did not survive scanning; only the OIG comments below are legible.]

Comments:

Question 2.2.a. Nineteen out of 20 SBA systems had a valid Certification and Accreditation as of the end of fieldwork on August 15, 2005.

Question 2.2.b. Seven of 20 SBA systems had a full scope Security Test & Evaluation (ST&E) performed between September 16, 2004 and August 15, 2005.

Question 2.2.c. OIG Audit 5-17 on Contingency of Operations Planning (COOP) identified that all of SBA's System Disaster Recovery Plans (SDRPs) were in "draft" status as of March 2005. Further, SBA did not use its SDRPs to actually recover its major systems during recovery test exercises, but relied upon the expertise of certain personnel who had in-depth knowledge of SBA systems to recover its systems during the exercises. OIG recommended "finalization" of all SBA SDRPs and the utilization of those SDRPs to actually test recovery of SBA systems. As of the end of FISMA fieldwork, SBA had finalized all of its internal SDRPs. SBA also tested 3 SDRPs for its internally owned systems after SDRP plan finalization. We analyzed four SAS-70 reports on contractor provided systems and gave credit for three contractor provided systems whereby Disaster Recovery Capability had been verified in SAS-70 audits of SBA's contractor computing environment.

Question 4.a. The SBA POA&M identified 292 of 346 (84.39%) open risk assessment vulnerabilities and audit recommendations.

Question 4.c. The SBA POA&M contained 106 of 117 (90.60%) open OIG audit recommendations.

Question 4.1. The SBA POA&M identified that all 307 weaknesses identified as open were prioritized. The SBA POA&M also identified that 161 of the 307 (52.44%) weaknesses identified as open had exceeded their corrective action date. SBA needs to ensure that significant security issues are addressed in a timely manner and receive appropriate resources.

[Question 5, OIG assessment of the Certification and Accreditation process: the template text references NIST Special Publication 800-37, FIPS 199, and the Guide for the Security Certification and Accreditation of Federal Information Systems; the scored response grid did not survive scanning.]

Comments for Question 5: We reviewed five Certifications and Accreditations finalized between October 2004 and August 2005. See the comments below on SBA's C&A process.

Comment 1: SBA's Certification and Accreditation process did not include a strategy for "Continuous Monitoring" as identified in NIST 800-37, Section 2.7, for any of the 5 C&As finalized after September 2004.

Comment 2: SBA's accreditation decision for one system rated as "high" for data sensitivity was at the time improper, based upon the fact that, according to accreditation documentation, the system did not have a complete and tested disaster recovery capability. Ancillary information identified that the risk had been corrected; however, this was not reflected in the accreditation documentation signed by SBA.

Section B: Inspector General. Questions 6, 7, 8, and 9

Agency Name: Small Business Administration

[Question 6.a (Yes or No response) and Question 6.b (configuration guides available for the products listed; which software is addressed in the agency-wide security configuration policy; whether any agency systems run the software; and the extent of implementation of the security configuration policy on the systems running the software): the response grid did not survive scanning.]

Question 7

Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No. - Yes

7.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No. - Yes

7.c. The agency follows documented procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov. Yes or No. - Yes

Comments: During the year, SBA submitted 9 of 12 monthly reports to FedCIRC on time. SBA delayed up to three months in submitting its reports to FedCIRC between 10/01/04 and 12/31/04.

Question 8

Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?

Response choices include:
- Rarely, or approximately 0-50% of employees have sufficient training
- Sometimes, or approximately 51-70% of employees have sufficient training
- Frequently, or approximately 71-80% of employees have sufficient training
- Mostly, or approximately 81-95% of employees have sufficient training
- Almost Always, or approximately 96-100% of employees have sufficient training

Comments: SBA provided records that 3,053 of 3,458 (88.3%) of personnel took "End-User Security Training" in FY 2005. SBA has not implemented an adequate training program for those employees and contractors with significant IT security responsibilities.

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No. - Yes

ATTACHMENT A

REPORT DISTRIBUTION

Recipient                                                 No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown ................................ 1

General Counsel ......................................... 3

Office of Management and Budget ......................... 1

U.S. Government Accountability Office ................... 1